iCloud gains an extra layer of security in wake of increasing security threats.

Apple has finally responded to increasing online security threats by introducing two-step authentication for iCloud. Like Google and other companies that already employ two-step authentication, Apple's system would provide an extra layer of security on top of the existing iCloud passwords when users try to access their accounts from unrecognized devices. iCloud users can set up two-step authentication on Apple IDs today by going to the Apple ID website and clicking the "Password and Security" tab.

Apple walks you through the process on its Apple ID management site.

For Apple, this means an authentication code is either sent via SMS to a phone number or found within the Find My iPhone app (if you have it installed) whenever you try to log in from somewhere new. This means that a potential attacker will have a harder time getting into your iCloud account without having physical access to your "trusted" device receiving the code. (Users are prompted to set up at least one trusted device when they turn on two-step authentication, though you can have more than one if you like.) Currently, two-step authentication is available to iCloud users in the US, UK, Australia, Ireland, and New Zealand.

One of the benefits to setting this up on your iCloud account is that you'll no longer have to rely on security questions—which are inherently insecure—in order to gain access to your account if you lose your password. The downside (if you consider it that) is that once you set up two-step authentication, Apple will no longer be able to reset your password for you should you lose or forget it. This is what ended up biting Wired editor Mat Honan in the behind when his various accounts were compromised—hackers were able to gather enough personal information from Honan's e-mail and Amazon accounts to trick Apple support into resetting his iCloud password, giving them free rein to remotely wipe his iPhone, iPad, and MacBook.

Apple's move to introduce two-step (also called two-factor) authentication to its online services follows in the footsteps of numerous other tech companies, from Dropbox to Facebook, which have done so over the last year. (Twitter has not yet implemented it, but says it plans to do so.) Google has offered two-step authentication on its services for a couple of years now, but the feature had not gained much attention or awareness from the general public until after Honan's hack last fall.
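The flow the article describes (password first, then a one-time code delivered to a trusted device whenever the request comes from an unrecognized device) can be sketched as a small server-side model. The following is an added example written for this page, not Apple's implementation or code from the article; the six-digit code format, the three-attempt limit, the in-memory account store and the `deliver` callback standing in for the SMS or Find My iPhone channel are all assumptions made for illustration.

```python
"""Added example: a minimal two-step login of the kind the article describes.
Assumed for illustration (not from the article): a 6-digit single-use code,
a 3-attempt limit per pending code, an in-memory account record, and a
`deliver` callback that stands in for the SMS / Find My iPhone channel."""

import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000   # assumed cost for the password factor
CODE_ATTEMPT_LIMIT = 3        # assumed: discard the code after 3 bad guesses


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Account:
    def __init__(self, password, trusted_device):
        self.salt, self.pw_hash = hash_password(password)
        self.trusted_devices = {trusted_device}   # receive codes and skip step two
        self.pending = {}                         # device_id -> {"code", "attempts"}

    def check_password(self, password):
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.pw_hash)


def begin_login(account, password, device_id, deliver):
    """Step one. Returns 'denied', 'ok' (trusted device) or 'code_required'."""
    if not account.check_password(password):
        return "denied"
    if device_id in account.trusted_devices:
        return "ok"
    code = f"{secrets.randbelow(1_000_000):06d}"
    account.pending[device_id] = {"code": code, "attempts": 0}
    for trusted in account.trusted_devices:
        deliver(trusted, code)   # the code goes to the trusted device, never to the requester
    return "code_required"


def finish_login(account, device_id, code):
    """Step two: single-use code, constant-time compare, attempt limit."""
    entry = account.pending.get(device_id)
    if entry is None:
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(entry["code"], code):
        del account.pending[device_id]
        account.trusted_devices.add(device_id)   # this device is now recognized
        return True
    if entry["attempts"] >= CODE_ATTEMPT_LIMIT:
        del account.pending[device_id]           # a fresh code must be requested
    return False


def demo():
    """Constructed scenario: attacker with the password, owner on trusted and new devices."""
    inbox = {}   # constructed stand-in for the phone's SMS inbox

    def deliver(device, code):
        inbox[device] = code

    acct = Account("correct horse battery staple", trusted_device="owners-iphone")
    # Attacker knows the password but is on an unrecognized device: stuck at step two.
    attacker = begin_login(acct, "correct horse battery staple", "attacker-laptop", deliver)
    guessed = finish_login(acct, "attacker-laptop", "000000")
    # Owner on the trusted phone is not challenged at all.
    owner = begin_login(acct, "correct horse battery staple", "owners-iphone", deliver)
    # Owner on a new laptop reads the code off the phone and completes the login.
    begin_login(acct, "correct horse battery staple", "owners-macbook", deliver)
    finished = finish_login(acct, "owners-macbook", inbox["owners-iphone"])
    return attacker, guessed, owner, finished


if __name__ == "__main__":
    print(demo())   # ('code_required', False, 'ok', True)
```

The point the article makes is visible in `demo()`: knowing the password alone gets the attacker only as far as `code_required`, because the code is delivered to a device they do not hold, and the attempt limit keeps the six-digit space from being guessed through.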

This isn't necessarily about iCloud per se, but two-step verification can have some nasty consequences that most of us are lucky enough not to have to worry about. I work tech support at a large public library, and a big part of my job is helping people (especially those without computer access at home) use the internet to move resumes around.

Two-step verification might be more secure for upper middle class folks with reliable cell phone access, but a lot of people who desperately need to use cloud storage services (because they need to send off resumes and don't have a flash drive, computer, or home to keep any of these things in) don't have easy access to SMS, or if they do, don't have access to the same phone number they did a month ago.

As long as two-step is opt-in, it's great, but as it becomes more and more the norm, some of the people who already have the highest barriers to using tech just get left more on the other side of the digital divide.


Thanks for posting this. I've been very much of the "2FA or no deal" mentality since it's been available. It's always good to be reminded of things like this.

- Sign in to My Apple ID to manage your account.
- Make an iTunes, App Store, or iBookstore purchase from a new device.
- Get Apple ID-related support from Apple.

So basically it prevents purchase fraud and changing your account information, but not access to Apple services otherwise. As such you can still log into any of Apple's other sites (icloud.com, developer.apple.com, discussions.apple.com, etc.) with just your password.

Only once you enable two-factor authentication can Apple no longer reset your password. Technically I'm sure it would be possible for them to still do so. From a security viewpoint, enabling the two-factor implies that you want your account to be much harder to access, and removing the ability to reset your password helps enforce that (and prevent what happened to Honan). I don't think this will restrict you from changing your password.

So as asked above, what happens if you lose your phone or have it stolen?

[Personally I've finally got round to using 1password intensively to store all my passwords, but I bet that when my phone stops working will be the one time that 1password isn't available for whatever reason, or I stupidly forgot to enter the new password or I accidentally erase the password bla bla etc ]

What I do is I store my backup OTCs for Google in an encrypted TrueCrypt container on Dropbox, with the key in my two-factor LastPass. I have my Google Authenticator running on both my tablet and phone, both of which are encrypted.

To actually be unable to log into an account, I would need to simultaneously lose my tablet, phone, desktop, and Lastpass Yubikey. For someone to gain access to an account, they would need my LastPass password, Yubikey, and either my phone or tablet (and know those PINs). I'm pretty happy with the security of that setup.


That was my first thought, too. Why not Canada? It's like teaching the geography of Asia but forgetting China. WTH? In fact, why does it have anything at all to do with where you live? The internet transcends geographical boundaries, and it surely isn't a political thing here, so what gives?


Rick25 wrote:

Sigh... apparently they missed Canada on the first round

Worst analogy ever. A: China has a Billion people. B: This has absolutely nothing to do with teaching geography. C: Apple doesn't give a shit how many square kilometers of tundra a country has.

That's what caught me out. My shopping account is Australian, but the account that handles FMI, iMessage and my iCloud backups, is an old German account that I created way back before I left Germany...

Or, they could go the Lastpass route and use 256,000 rounds of PBKDF2.

Because, jeez, two-step validation is a painfully tedious system for the security provided! Setting a strong password with a lengthy character set and hard-to-predict keystrokes is much, much more efficient for the end user. Encrypting those well, even more so.
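For readers wondering what "the LastPass route" looks like in practice, here is an added example (not code from the commenter, LastPass or the article) of storing passwords with PBKDF2-HMAC-SHA256 at the 256,000 rounds the comment cites, plus the upgrade-on-login step a deployment needs when it raises the count later. The record layout, the field names and the legacy 1,000-round account are assumptions made for illustration.

```python
"""Added example: PBKDF2 password records at a high iteration count, with
transparent rehashing of older, cheaper records on a successful login.
The record layout and the 1,000-round legacy account are assumed."""

import hashlib
import hmac
import secrets
import time

TARGET_ITERATIONS = 256_000   # the count the comment cites


def make_record(password, iterations=TARGET_ITERATIONS):
    """Fresh random salt per record; the iteration count is stored alongside."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"iterations": iterations, "salt": salt.hex(), "hash": digest.hex()}


def verify(record, password):
    """Recompute with the record's own salt and cost, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def login(store, user, password):
    """True on success. Records below the target cost are rehashed while the
    plaintext is available, so raising TARGET_ITERATIONS later is painless."""
    rec = store.get(user)
    if rec is None or not verify(rec, password):
        return False
    if rec["iterations"] < TARGET_ITERATIONS:
        store[user] = make_record(password)
    return True


def guesses_per_second(iterations, samples=3):
    """Rough single-core rate an offline guesser gets at this cost."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, b"fixed-salt", iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed store: one legacy account hashed at only 1,000 rounds.
    store = {"alice": make_record("hunter2", iterations=1_000)}
    print(login(store, "alice", "hunter2"), store["alice"]["iterations"])  # True 256000
    print(login(store, "alice", "wrong"))                                 # False
    print(f"{guesses_per_second(1_000):.0f} vs {guesses_per_second(TARGET_ITERATIONS):.0f} guesses/s")
```

Note what this does and does not buy: the iteration count slows offline guessing against a stolen hash roughly in proportion (compare the two rates printed at the end), but it does nothing against the attack the article describes, where the password was simply reset by support.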



I'm guessing you haven't read the Honan story linked in the article, in which it is demonstrated that the problem solved by two-factor authentication has nothing to do with encryption.

Hooray! And, thankfully, this means the end of the farcical "security questions". Although you will need to answer them (or phone Apple support and answer some other questions) before you can enable two-factor authentication: once enabled, you won't need them any more and maybe should get them reset.


In my family, we have multiple iPhones and iPads. I use only my Apple ID on my phone and iPad. My wife uses her Apple ID for her iPhone/iPad, but she uses mine for Apps, music, etc . Does anyone know if it would be possible for either/both of us to turn on two factor authentication?